Verticals Targeted: None specified
Regions Targeted: Russia
Related Families: None
Executive Summary
ClayRAT, a sophisticated Android spyware campaign targeting Russian users, leverages Telegram channels and phishing sites to distribute malicious APKs disguised as popular apps. Its rapid evolution, extensive surveillance capabilities, and self-propagation via SMS make it a significant threat to mobile security.
Key Takeaways
- ClayRAT is distributed through Telegram channels and phishing sites mimicking trusted apps like WhatsApp and YouTube.
- It abuses Android’s default SMS handler role to exfiltrate sensitive data without user prompts.
- ClayRAT self-propagates by sending malicious links to all contacts in the victim’s phone book.
- Over 600 samples and 50 droppers were observed in three months, with increasing obfuscation techniques.
What is ClayRAT?
A new Android spyware, dubbed ClayRAT, has emerged as a formidable threat, primarily targeting users in Russia. Identified by Zimperium zLabs researchers, this campaign has rapidly expanded over the past three months, with over 600 samples and 50 droppers detected. The spyware’s aggressive distribution tactics, advanced obfuscation, and abuse of Android’s default SMS handler role make it a critical concern.
ClayRAT employs a multi-faceted distribution strategy that exploits user trust through social engineering. The malware is primarily disseminated via Telegram channels and phishing websites that impersonate popular applications such as WhatsApp, Google Photos, TikTok, and YouTube. These phishing sites, often designed to mimic legitimate services, host malicious APKs disguised as app updates or feature add-ons. For instance, domains mimicking services like GdeDPS redirect users to Telegram channels, where malicious APKs are distributed alongside step-by-step installation instructions. These instructions guide users to bypass Android’s security warnings, increasing the likelihood of successful infections. The campaign further enhances its credibility with fabricated social proof, including staged comments and inflated download counts, to lower user suspicion.
A key feature of ClayRAT is its session-based installation technique, particularly in variants designed to evade Android 13’s restrictions. Some samples act as droppers, presenting a fake Google Play update screen while hiding the encrypted payload within the app’s assets. This method reduces perceived risk, tricking users into installing the spyware. Once installed, ClayRAT requests the default SMS handler role, granting it extensive access to SMS content and messaging functions without requiring individual runtime permissions. This capability allows the spyware to read, store, and forward SMS messages, intercept events, and access SMS databases, enabling covert surveillance and data theft.
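As an added illustration of the default SMS handler abuse described above (this is example code, not from the original report or from Zimperium), the following Python check inspects a decoded AndroidManifest.xml for the four components Android requires before an app can request the default SMS handler role, so a triage analyst can flag an app whose branding (a "WhatsApp" or "YouTube" update) does not match that capability. The manifest below is constructed, and the component names SmsRx, MmsRx, Compose and Reply are assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace

# What Android requires before an app may become the default SMS app:
# requirement -> (component tag, intent action, permission the component must enforce or None)
SMS_ROLE_REQUIREMENTS = {
    "SMS_DELIVER": ("receiver", "android.provider.Telephony.SMS_DELIVER", "android.permission.BROADCAST_SMS"),
    "WAP_PUSH_DELIVER": ("receiver", "android.provider.Telephony.WAP_PUSH_DELIVER", "android.permission.BROADCAST_WAP_PUSH"),
    "SENDTO": ("activity", "android.intent.action.SENDTO", None),
    "RESPOND_VIA_MESSAGE": ("service", "android.intent.action.RESPOND_VIA_MESSAGE", "android.permission.SEND_RESPOND_VIA_MESSAGE"),
}

def sms_role_components(manifest_xml: str) -> dict:
    """Map each default-SMS-app requirement to whether the manifest satisfies it."""
    root = ET.fromstring(manifest_xml)
    found = dict.fromkeys(SMS_ROLE_REQUIREMENTS, False)
    for name, (tag, action, perm) in SMS_ROLE_REQUIREMENTS.items():
        for comp in root.iter(tag):
            if perm and comp.get(A + "permission") != perm:
                continue  # component present but not protected the way the role requires
            if action in {a.get(A + "name") for a in comp.iter("action")}:
                found[name] = True
                break
    return found

def claims_sms_role(manifest_xml: str) -> bool:
    """True when all four requirements are met: the app can ask to become the default
    SMS handler and then read and send SMS without per-permission runtime prompts."""
    return all(sms_role_components(manifest_xml).values())

# Constructed manifest (not from a real sample): an app branded as a messenger
# update that declares the complete SMS-handler component set.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fake.update">
  <application android:label="WhatsApp Update">
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".MmsRx" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
    <activity android:name=".Compose">
      <intent-filter><action android:name="android.intent.action.SENDTO"/><data android:scheme="sms"/></intent-filter></activity>
    <service android:name=".Reply" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(sms_role_components(SAMPLE_MANIFEST), claims_sms_role(SAMPLE_MANIFEST))
```

A declared SMS-handler component set is legitimate for real messaging apps, so the signal is the mismatch between this capability and what the app claims to be, not the components alone.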
ClayRAT’s functionality is extensive, supporting a range of remote commands that enhance its surveillance and propagation capabilities. It can exfiltrate SMS messages, call logs, notifications, and device information, as well as capture photos using the front-facing camera. The spyware can also initiate calls or send SMS messages from the victim’s device. A particularly alarming feature is its self-propagation mechanism, where it sends malicious links to every contact in the victim’s phone book, leveraging trust to fuel exponential spread. This turns each infected device into a distribution node, amplifying the campaign’s reach without additional infrastructure.
The spyware communicates with its command-and-control (C2) server via standard HTTP, using Base64-encoded payloads with a marker string, “apezdolskynet,” for obfuscation. An alternate variant employs AES-GCM encryption and dynamically loads encrypted payloads, further complicating detection. The rapid evolution of ClayRAT, with new layers of packing and obfuscation, underscores the operators’ commitment to evading security defenses.
ClayRAT’s sophisticated tactics, combining phishing, Telegram-based distribution, session-based installers, and SMS-driven propagation, highlight the evolving mobile threat landscape. Its abuse of Android’s SMS handler role and rapid growth pose significant risks. As the campaign continues to evolve, ongoing vigilance and advanced detection mechanisms are critical to mitigating its impact.
IOCs
PolySwarm has multiple samples of ClayRAT.
You can use the following CLI command to search for all ClayRAT samples in our portal:
$ polyswarm link list -f ClayRAT